SYSTEM MODEL KERBEROS OBJECTIVES PHYSICAL SECURITY TRUST: CONSOLIDATED KERBEROS MODEL TRUST: BILATERAL RHOSTS MODEL

Size: px

Start display at page:

Download "SYSTEM MODEL KERBEROS OBJECTIVES PHYSICAL SECURITY TRUST: CONSOLIDATED KERBEROS MODEL TRUST: BILATERAL RHOSTS MODEL"

Erika McKenzie
8 years ago
Views:

1 INFS 766 Internet Security Protocols Lecture 9 WORK- STATIONS SYSTEM MODEL NETWORK SERVERS NFS GOPHER Prof. Ravi Sandhu LIBRARY KERBEROS 2 PHYSICAL SECURITY KERBEROS OBJECTIVES CLIENT WORKSTATIONS None, so cannot be trusted SERVERS Moderately secure rooms, with moderately diligent system administration KERBEROS Highly secure room, with extremely diligent system administration provide authentication between any pair of entities primarily used to authenticate user-atworkstation to server in general, can be used to authenticate two or more secure hosts to each other on an insecure network servers can build authorization and access control services on top of 3 4 TRUST: BILATERAL RHOSTS MODEL TRUST: CONSOLIDATED KERBEROS MODEL B A C A B A trusts B A will allow users logged onto B to log onto A without a password A B C D E F E F G KERBEROS 5 6

KERBEROS Highly secure room, with extremely diligent system administration provide authentication between any pair of entities primarily used to authenticate user-atworkstation to server in general,

2 TRUST: CONSOLIDATED KERBEROS MODEL breaking into one host provides a cracker no advantage in breaking into other hosts authentication systems can be viewed as trust propagation systems the model is a centralized star model the rhosts model is a tangled web model WHAT KERBEROS DOES NOT DO makes no sense on an isolated system does not mean that host security can be allowed to slip does not protect against Trojan horses does not protect against viruses/worms 7 8 KERBEROS DESIGN GOALS KERBEROS DESIGN DECISIONS IMPECCABILITY no cleartext passwords on the network no client passwords on servers (server must store secret server key) minimum exposure of client key on workstation (smartcard solution would eliminate this need) CONTAINMENT compromise affects only one client (or server) limited authentication lifetime (8 hours, 24 hours, more) TRANSPARENCY password required only at login minimum modification to existing applications Uses timestamps to avoid replay. Requires time synchronized within a small window (5 minutes) Uses DES-based symmetric key cryptography stateless 9 10 KERBEROS VERSIONS NOTATION We describe version 4 as the base version version 5 fixes many shortcomings of version 4, and is described here by explaining major differences with respect to version 4 c client principal s server principal K x secret key of x (known to x and ) K c,s session key for c and s (generated by and distributed to c and s) {P}K q P encrypted with K q T c,s ticket for c to use s (given by to c and verified by s) A c,s authenticator for c to use s (generated by c and verified by s) 11 12

against Trojan horses does not protect against viruses/worms 7 8 KERBEROS DESIGN GOALS KERBEROS DESIGN DECISIONS IMPECCABILITY no cleartext passwords on the network no client passwords on servers

3 TICKETS AND AUTHENTICATORS SESSION KEY DISTRIBUTION T c,s = A c,s = {s, c, addr, time o, life, K c,s }K s {c, addr, time a }K c,s addr is the IP address, adds little removed in version 5 c, s {T c,s, K c,s } K c T c,s, A c,s Server USER AUTHENTICATION TRUST IN WORKSTATION for user to server authentication, client key is the user s password (converted to a DES key via a publicly known algorithm) untrusted client workstation has K c is expected to delete it after decrypting message in step 2 compromised workstation can compromise one user compromise does not propagate to other users AUTHENTICATION FAILURES KERBEROS IMPERSONATION Ticket decryption by server yields garbage Ticket timed out Wrong source IP address Replay attempt active intruder on the network can cause denial of service by impersonation of IP address network monitoring at multiple points can help detect such an attack by observing IP impersonation 17 18

algorithm) untrusted client workstation has K c is expected to delete it after decrypting message in step 2 compromised workstation can compromise one user compromise does not propagate to other

4 KERBEROS RELIABILITY USE OF THE SESSION KEY availability enhanced by keeping slave servers with replicas of the database slave databases are read only simple propagation of updates from master to slaves establishes a session key K c,s session key can be used by the applications for client to server authentication (no additional step required in the protocol) mutual authentication (requires fourth message from server to client {f(a c,s )}K c,s, where f is some publicly known function) message confidentiality using K c,s message integrity using K c,s Problem: Transparency user should provide password once upon initial login, and should not be asked for it on every service request workstation should not store the password, except for the brief initial login Solution: Ticket-Granting Service (TGS) store session key on workstation in lieu of password TGS runs on same host as (needs access to K c and K s keys) 21 c, tgs {T c,tgs, K c,tgs } K c 1 2 retained on the workstation deleted from workstation after this exchange (have to trust the workstation) 22 TICKET LIFETIME TGS Life time is minimum of: requested life time T c,tgs, A c,tgs, s {T c,s, K c,s } K c,tgs 3 4 max lifetime for requesting principal max lifetime for requesting service max lifetime of ticket granting ticket 5 Max lifetime is 21.5 hours Server T c,s, A c,s 23 24

fourth message from server to client {f(a c,s )}K c,s, where f is some publicly known function) message confidentiality using K c,s message integrity using K c,s 19 20 Problem: Transparency user

5 NAMING KERBEROS V5 ENHANCEMENTS Users and servers have same name format: Example: Mapping of authentication names to local system names is left up to service provider Naming V5 supports V4 names, but also provides for other naming structures such as X.500 and DCE Timestamps V4 timestamps are Unix timestamps (seconds since 1/1/1970). V5 timestamps are in OSI ASN.1 format. Ticket lifetime V4 tickets valid from time of issue to expiry time, and limited to 21.5 hours. V5 tickets have start and end timestamps. Maximum lifetime can be set by realm KERBEROS V5 ENHANCEMENTS KERBEROS INTER-REALM AUTHENTICATION V5 tickets are renewable, so service can be maintained beyond maximum ticket lifetime. Ticket can be renewed until min of: requested end time start time + requesting principal s max renewable lifetime start time + requested server s max renewable lifetime start time + max renewable lifetime of realm Realm 1 client shared secret key Realm 2 server KERBEROS INTER-REALM AUTHENTICATION KERBEROS DICTIONARY ATTACK V4 limits inter-realm interaction to realms which have established a shared secret key V5 allows longer paths For scalability one may need publickey technology for inter-realm interaction First two messages reveal knownplaintext for dictionary attack first message can be sent by anyone v5 has pre-authentication option to prevent this attack 29 30

500 and DCE Timestamps V4 timestamps are Unix timestamps (seconds since 1/1/1970). V5 timestamps are in OSI ASN.1 format.

How To Use Kerberos

How To Use Kerberos KERBEROS 1 Kerberos Authentication Service Developed at MIT under Project Athena in mid 1980s Versions 1-3 were for internal use; versions 4 and 5 are being used externally Version 4 has a larger installed